What is a Cross Site Request Forgery (CSRF)?

A CSRF is a type of exploit that a malicious website or attacker could employ to have a user send unauthorized commands to a website or application.  It is a type of confused deputy attack in which the user’s web browser is the deputy: the browser is tricked into sending HTTP requests to a target website, and because it automatically attaches whatever credentials it holds for that site (session cookies, HTTP authentication), the target cannot distinguish the forged request from one the user intended to make.

Some CSRF techniques are trivial to employ.  For example, placing an arbitrary URL in the src attribute of an HTML IMG tag makes your browser issue an HTTP GET against that URL as soon as the page renders, whether or not the response is actually an image, and with the cookies for that URL’s site attached.

Try out this example that uses RequestBin.  I added an image tag to a page in my local web setup.

<img src="http://requestb.in/vzwvagvz">

When I checked RequestBin I could see what the request from my browser looked like to the external service.

Screenshot (2015-11-25): the image request as captured by RequestBin.

CSRF exploit example

A malicious HTTP GET can potentially expose sensitive information: as the RequestBin capture shows, the forged request arrives from the user’s IP address carrying the browser’s headers, and any cookies the target site has set go along with it.  For HTTP GET requests the state of the system rarely changes, since a well-designed application only changes state on POST (or another unsafe method), so lasting damage from a forged GET is limited to targets that mishandle GET (for example, a delete link that works with a plain GET).  What can be more troubling is when a browser is tricked into performing an HTTP POST using a maliciously designed HTML form: JavaScript on the attacker’s page can submit the form automatically, and the browser attaches the user’s session cookies exactly as it would for a form on the real site.

Continue Reading…

If you have been participating in the Sugar 7.7 Beta then you may have noticed that SugarCRM Engineering has refactored how CreateViews work in the Sugar application.

This post explains the motivations for the change and what Sugar Developers need to know and the actions they need to take to migrate their customizations in future Sugar 7.x releases.

Differences between Create and CreateActions

Historically, there has been some confusion in the Sugar Developer community (see here and here) around the existence of two different Create dialog layouts in the Sugar application.

Continue Reading…

About TethrOn

TethrOn is a mobile field sales and service enablement platform that has a number of different pre-built integrations to back-end systems. The team behind TethrOn recently decided to become a SugarCRM Technology Partner in order to provide connectivity to Sugar with their mobile platform. Their architect gave the experience rave reviews:

Sugar was by far the easiest CRM system to integrate in our experience to date. This is mainly due to the robust set of APIs provided out of the box to support integrations over REST combined with clear documentation on best practices for extending the Sugar v10 REST interface.   In addition, what is provided out of the box is well thought out with respect to useful integration patterns.

TethrOn created a proof of concept in 3 weeks and released their production Sugar connector in just 8 weeks!

Sugar Object Mapping within TethrOn


If you want to learn more about TethrOn, please visit http://www.tethron.com/.

Below David Valko from aMind Solutions, the company behind TethrOn, shares the successful pattern they applied for building their integration to Sugar.

Continue Reading…

Have you checked out Sugar University lately?  SugarCRM provides Hot Topic Webinars designed specifically for Sugar Developers.  This is a great way to keep on top of how to take advantage of latest technology in Sugar and keep those development skills sharp!

Sugar 7 Sidecar Essentials Webinar

For example, we have an upcoming Sugar 7 Sidecar Essentials Developer Webinar on December 10th at 9:00am PST.  Visit the link to register for this live webinar!  This will be a great one for those just getting their hands dirty with Sugar development or if you have ambitions to become a certified Sugar Developer Specialist.

Webinar Recordings

If you have been missing them or cannot make it then never fear! Each webinar is recorded and those recordings are available for download via Sugar University.

Continue Reading…

Global Partner Summit 2015

This year’s SugarCRM Global Partner Summit took place over the course of 2 days last week in Cascais, Portugal.  Partner Summit is an annual opportunity for SugarCRM and our valued business partners (Resellers, Technology partners, Systems Integrators, and OEMs) to get together to share experiences and learn from each other.

Tech Track @ GPS 2015

A few (lucky) engineers and managers from SugarCRM Engineering team and other tech teams such as Support, Operations, Alliances, and Professional Services were on hand to run the GPS Tech Track.  Tech Track provided 2 half days worth of technical presentations and special topic breakout sessions designed specifically for Sugar Developers that work for our partners.

Ultimately, since our Partner Community is so diverse our goal was to create a technical event that helps align everyone on best practices for tooling, dev methodology, quality assurance, and continuous integration/DevOps.  We also included plenty of special topic breakout sessions that allowed partner developers to get deeper on topics that are interesting to them.

Continue Reading…

What are Sugar Integration Building Blocks?

This is a new effort to create an open source library of re-usable common components that can be easily adapted by developers interested in integrating applications with Sugar 7.  This project is focused on the needs of SugarCRM ISVs and Technology partners that want to build integrations and get them listed on Sugar Exchange quickly and painlessly so they can be offered to Sugar customers.

This new open source project is hosted on Github at https://github.com/sugarcrm/BuildingBlocks and is accepting contributions from the Sugar Developer community.

Watch this project because more and more components and examples will be added in the coming months.

Contextual Frame Dashlet Package

One of the first building blocks is an easy to use iframe dashlet that passes contextual information about the current page to the iframe using URL parameters.  In the current package, the context that is passed is the record id (when there is one) and the module name.  The external endpoint can then use that context to create an appropriate UI to present in the iframe.

This dashlet can be easily used to create a lightweight UI integration with an external application.  It can be deployed as-is for a Proof of Concept or demonstrations or it can be easily customized for additional tailored capability.

Contextual iFrame Dashlet configuration page


It also happens to be a good example of a Dashlet that uses a configuration page in order to manage settings such as the base URL and the frame’s height.

Continue Reading…

Sugar Engineering is proud to announce the Beta release of the open source Sidecar Debugger Tools project!

Sidecar Debugger Tools

This project was developed as part of the recent Partner hack week where it was a crowd favorite.  Not only is this a great developer tool for debugging and building Sugar Sidecar components, it is also useful as a learning tool for understanding the components on each page and how views, fields, and layouts work together.

It is a Chrome Developer Tools extension that adds a SugarDebug tab into your Developer Tools panel.  And it’s loaded with features that will help you build Sidecar components faster and make debugging issues easier!

It’s easy to install!  Just follow the steps on the project README.

Continue Reading…